A Behavior-Based Online Engine for Detecting Distributed Cyber-Attacks

  • Yaokai Feng
  • Yoshiaki Hori
  • Kouichi Sakurai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10144)


Distributed attacks have reportedly caused the most serious losses in recent years. Here, distributed attacks are attacks conducted collaboratively by multiple hosts. How to detect distributed attacks has become one of the most important topics in the cyber security community. Many detection methods have been proposed, but each has its own weak points. For example, the detection performance of information-theory-based methods depends strongly on the information-theoretic measures used, and signature-based methods can deal with neither new kinds of attacks nor new variants of existing attacks. Recently, the behavior-based method has been attracting great attention from many researchers and developers, and it is thought to be the most promising one. In behavior-based approaches, normal behavior modes are learned/extracted from past traffic data of the monitored network and are used to recognize anomalies in future detection. In this paper, we explain how to implement an online behavior-based engine for detecting distributed cyber-attacks. Detection cases of our engine are also introduced, and some actual attacks/incidents have been captured by our detection engine.


Cyber security; Distributed attacks; Behavior-based detection



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Kyushu University, Fukuoka, Japan
  2. Saga University, Saga, Japan
